As a Service Provider connected to SURFconext, you must comply with laws and regulations concerning privacy and the safety of personal data you process about end users. Within SURFconext, this is covered by an agreement (aansluitovereenkomst or bemiddelingsovereenkomst). Also, you are requested to oblige to the 'Framework of Legal Standards for Cloud Services in Higher Education'.
Within eduGAIN: GÉANT Data Protection Code of Conduct
Trustworthy exchange of attributes between federations
In an interfederation (i.e., eduGAIN) context, every federation has its own set of agreements and contracts. There usually are some differences between those federations. To enable trustworthy exchange of attributes between organisations from different federations, it proved to be necessary to establish a document about privacy and data protection laws that is equal for all organisations. This document is called the GÉANT Data Protection Code of Conduct. It describes an approach to meet the requirements of the EU data protection directive.
Organisations are advised to support this document to state they are a reliable partner. This will help Identity Providers from other federations to trust your service, therefore making it easier to connect their Identity Provider to your service. In a number of federations, even automatically.
How to commit to the Code of Conduct
Before you continue, please note that the agreements used by SURFconext and the Code of Conduct are almost identical. The only difference is that the Code of Conduct is more strict when it comes to information duty towards end users. Before being able to sign the Code of Conduct, you must make sure you can comply with that principle by setting up an internal process. The rest of the principles mentioned in the Code of Conduct should not pose any barriers, since they are also mentioned in the SURFconext agreements.
Please contact firstname.lastname@example.org if you have any questions.
Adding the Code of Conduct to your metadata
After signing the Code of Conduct and taking all the necessary steps mentioned on this page, you can declare having signed the Code of Conduct in your metadata. Since SURFconext publishes your metadata to eduGAIN, please contact email@example.com to complete this final step.